Does Your Cyber Policy Cover Funds ‘Stolen’ During Email Spoofing?
An ongoing dispute involving AIG and one of its insureds is a good reminder that the marketplace for cyber insurance is evolving rapidly as we learn more about the risks connected to online activities. The AIG dispute, which may be resolved in the coming weeks, is noteworthy for reminding us of the serious financial consequences of cyber-crime and the need for companies to understand the scope of their insurance coverage. On the positive side, from an insured’s perspective, the AIG claim is comforting in that it shows defense costs accrued in the underlying lawsuit were covered, even though AIG ultimately disputes the indemnity coverage.
Background
On October 7, AIG asked a New York federal court to toss an insured’s lawsuit seeking insurance coverage for $5.9 million stolen by suspected Chinese hackers using spoofed email addresses. AIG argued the cyber policy specifically excluded losses resulting from fraudulent or criminal acts. Four days later, the insured countered, saying the exclusion only applied to losses resulting from its own fraudulent or criminal acts, rather than a hacker’s.
SS&C Technologies, the insured in the case, is a financial technology company that administers accounts for its investment fund clients. In March 2016, Hong Kong-based hackers used spoofed email addresses to pose as an SS&C client requesting fund transfers. Believing the emails came from its client, SS&C transferred over $5.9 million to the scammers’ fraudulent accounts. Shortly after, the client sued SS&C to recover the money transferred.
Throughout the lawsuit against SS&C, its insurer AIG covered the defense costs but denied coverage for any settlement or judgment arising out of the email spoofing attack based on several exclusions in SS&C’s policy. After the lawsuit settled, SS&C sought coverage from AIG for the settlement payment; however, AIG denied coverage and SS&C sued.[1]
Dispute Over Cyber Policy’s Coverage of Spoofing Attacks
The coverage dispute has centered on the policy’s so-called “Fraud Exclusion,” which specifically excludes losses “alleging, arising out of, based upon or attributable to a dishonest, fraudulent, criminal or malicious act, error or omission, or any intentional or knowing violation of the law.” According to AIG, this provision excludes any losses “arising out of” “fraudulent” or “criminal [acts].” In response, SS&C argued the exclusion does not apply when a third party, such as a hacker, commits the fraudulent or criminal act. Instead, SS&C claimed the exclusion is limited to instances where SS&C engages in fraudulent or criminal acts.
Takeaways
Cyber insurance is quickly evolving as insurers and insureds learn more about risks connected to online activities. In the coming weeks, the New York federal court will rule on this issue. But regardless of how it rules, there are several noteworthy takeaways from this case:
- Growing Consequences of Cyber Risks: At the core of this case is the loss of nearly $6 million from a series of spoofed emails. Based on the complaint in the underlying lawsuit, the hackers posed as SS&C client Tillage Commodities Fund with email addresses that spelled “Tillage” as “Tilllage.” Additionally, the hackers used “awkward syntax and grammatical errors, which were wholly inconsistent with prior Tillage communications…” This case highlights the importance of establishing cybersecurity programs and best practices to identify similar spoofing tactics to protect against significant losses.
- Know Your Coverage: Cyber insurance policies, like the one at issue here, vary among insurers and provide different coverages for computer fraud. Other policy types, such as commercial crime policies, often contemplate computer fraud coverage that, unlike cyber policies, has been extensively litigated.[2]
- Defense Cost Coverage: Like most policies, AIG’s policy covered defense costs for SS&C in certain instances. Of note, AIG paid for SS&C’s defense costs in the underlying lawsuit even though AIG denied coverage for indemnity costs. As is typically the case, defense costs coverage is broader than liability coverage. Insurers might seek to recoup defense costs, but, as an initial matter, many like AIG will cover the cost to defend against a lawsuit.
For guidance on responding to cyber incidents to minimize the risk of litigation and handling such litigation if it occurs, please contact Guillermo Christensen, Nick Merker or Christian Robertson. Guillermo, a former CIA intelligence officer and a diplomat with the U.S. Department of State, is a partner in Ice Miller’s Data Security and Privacy and White Collar Defense Practices. Nick Merker is a partner and co-chair of Ice Miller’s Data Security and Privacy Practice Group. Christian is an associate in Ice Miller’s Litigation Practice.
This publication is intended for general information purposes only and does not and is not intended to constitute legal advice. The reader should consult with legal counsel to determine how laws or decisions discussed herein apply to the reader’s specific circumstances.
[1] Complaint, SS&C Techs. Holdings, Inc. v. AIG Specialty Ins. Co., 19-cv-7859 (S.D. NY Aug. 21, 2019).
[2] See Covering Phishing & Other Social Engineering Attacks: The State of Play in Computer Fraud Insurance